
Strange infection


This topic is locked
3 replies to this topic

#1 Jmadden

Posted 19 January 2009 - 12:21 AM

I think I picked this up a week or so ago, and I have been having increasingly strange problems since then. My ESET security has reported some random worms; I can't remember their names, but I am running a scan at the moment to see if it still picks them up. I first noticed that when I click on any blank space (meaning no links) in my browser (Firefox), a popup advertisement occurs. Then I noticed my top 2 or 3 Google search results seemed to be getting redirected to ads also. So I ran an ESET scan, then restarted in safe mode and ran it again in an attempt to remove it, but it seems to have failed. I had read that Windows Update had come up with some new things for some new virus/spyware that was a big deal, so I just now tried to run Windows Update, and after clicking it, it opens up IE and directs me to what seems to be a bogus Google page. I tried typing it manually and no luck. Now I try checking some things in my C: drive, and when I try to open it, it says "windows cannot find 'resycled\boot.com' and then try again. To search for a file, click the Start button, and then click search". This of course brings us to the point I am at now, so here is the log:


DDS (Ver_09-01-18.01) - NTFSx86
Run by Joe at 0:09:06.14 on Mon 01/19/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1565 [GMT -5:00]

AV: ESET Smart Security 3.0 *On-access scanning enabled* (Updated)
FW: ESET Personal firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Curse\CurseClient.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Joe\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Tunebite_WebRipPlugin Class: {aa102584-3b97-47e7-b9bc-75d54c110a7d} - c:\program files\rapidsolution\tunebite\plugins\ie\TB_WebRipIePlugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
uRun: [CurseClient] c:\program files\curse\CurseClient.exe -silent
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [P17Helper] Rundll32 P17.dll,P17Helper
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
uPolicies-explorer: HideClock = 0 (0x0)
mPolicies-explorer: NoResolveTrack = 1 (0x1)
mPolicies-explorer: NoFileAssociate = 0 (0x0)
mPolicies-system: NoDispSettingsPage = 0 (0x0)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
TCP: NameServer = 85.255.115.116,85.255.112.169
TCP: {E29EB0E4-4EAE-45EF-9012-BBBA47D83BF6} = 85.255.115.116,85.255.112.169
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\joe\applic~1\mozilla\firefox\profiles\b4emd16y.default\
FF - prefs.js: browser.search.selectedEngine - DAEMON Search
FF - component: c:\program files\mozilla firefox\components\iamfamous.dll
FF - component: c:\program files\rapidsolution\tunebite\plugins\geckobased\tunebite-firefox-surf-and-catch-extension@audials.com\components\TB_WebRipFFPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\rapidsolution\tunebite\plugins\geckobased\tunebite-firefox-surf-and-catch-extension@audials.com\plugins\np_TB_OgloPlugin.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: network.prefetch-next - true
FF - user.js: nglayout.initialpaint.delay - 250
FF - user.js: layout.spellcheckDefault - 1
FF - user.js: browser.urlbar.autoFill - false
FF - user.js: browser.search.openintab - false
FF - user.js: browser.tabs.closeButtons - 1
FF - user.js: browser.tabs.opentabfor.middleclick - true
FF - user.js: browser.tabs.tabMinWidth - 100
FF - user.js: browser.urlbar.hideGoButton - false

============= SERVICES / DRIVERS ===============

R4 ekrn;Eset Service;c:\program files\eset\eset smart security\ekrn.exe [2007-12-21 468224]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-12-11 24652]
S0 tclondrv;tclondrv;c:\windows\system32\drivers\tclondrv.sys --> c:\windows\system32\drivers\tclondrv.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [2008-6-27 332928]

=============== Created Last 30 ================

2009-01-15 10:40 <DIR> --d----- c:\docume~1\joe\applic~1\ESET
2009-01-15 10:39 <DIR> --d----- c:\program files\ESET
2009-01-14 13:59 <DIR> --d----- c:\program files\Bonjour
2009-01-14 03:31 344,064 a------- c:\windows\system32\msvcr70.dll
2009-01-12 02:44 <DIR> --d----- c:\docume~1\joe\applic~1\Crayon Physics Deluxe
2009-01-12 02:31 <DIR> --d----- c:\program files\Crayon Physics Deluxe
2009-01-12 02:28 255 ---shr-- C:\autorun.inf
2009-01-08 04:09 <DIR> --d----- c:\program files\mp3DirectCut
2009-01-08 04:00 <DIR> --d----- c:\program files\Audacity
2009-01-08 03:38 34 a------- c:\windows\system32\oeminfo.ini
2009-01-08 03:34 <DIR> --d----- c:\program files\Ashampoo
2009-01-08 03:27 <DIR> --d----- c:\program files\PixiePack Codec Pack
2009-01-08 03:26 <DIR> --d----- c:\program files\RapidSolution
2009-01-08 03:26 <DIR> --d----- c:\docume~1\alluse~1\applic~1\RapidSolution
2009-01-08 03:20 <DIR> --dshr-- C:\resycled
2009-01-08 03:01 <DIR> --d----- c:\docume~1\joe\applic~1\Wireshark
2009-01-08 02:58 <DIR> --d----- c:\program files\WinPcap
2009-01-08 02:57 <DIR> --d----- c:\program files\Wireshark
2009-01-08 02:26 <DIR> --d----- c:\docume~1\joe\applic~1\iTunes Agent
2009-01-08 02:26 <DIR> --d----- c:\program files\iTunes Agent
2009-01-08 02:02 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2009-01-08 01:58 26,368 ac------ c:\windows\system32\dllcache\usbstor.sys
2009-01-08 01:36 24,192 a----r-- c:\windows\system32\drivers\OLD6D4F.tmp
2009-01-08 01:36 26,112 ac------ c:\windows\system32\dllcache\usbser.sys
2009-01-08 01:36 26,112 a------- c:\windows\system32\drivers\usbser.sys
2009-01-08 01:35 <DIR> --d----- c:\program files\Motorola Phone Tools
2009-01-08 01:34 116,736 a------- c:\windows\system32\drivers\mcdbus.sys
2009-01-08 01:34 <DIR> --d----- c:\program files\MagicDisc
2009-01-07 13:55 <DIR> --d----- c:\program files\Windows Media Connect 2
2009-01-07 13:54 <DIR> --d----- C:\0036c9eb2fd51f4f95
2009-01-07 13:54 <DIR> --d----- C:\de54836ac8f44ad36ec23dca2f7323
2009-01-07 13:53 <DIR> --d----- c:\windows\system32\LogFiles
2009-01-05 12:52 509,448 a------- c:\windows\system32\XAudio2_2.dll
2009-01-05 12:52 68,616 a------- c:\windows\system32\XAPOFX1_1.dll
2009-01-05 12:52 238,088 a------- c:\windows\system32\xactengine3_2.dll
2009-01-05 12:52 1,493,528 a------- c:\windows\system32\D3DCompiler_39.dll
2009-01-05 12:52 3,851,784 a------- c:\windows\system32\D3DX9_39.dll
2009-01-05 12:52 467,984 a------- c:\windows\system32\d3dx10_39.dll

==================== Find3M ====================

2008-12-12 11:18 87,336 a------- c:\windows\system32\dns-sd.exe
2008-12-12 11:11 61,440 a------- c:\windows\system32\dnssd.dll
2008-12-01 04:11 77,364 a------- c:\windows\War3Unin.dat
2008-12-01 04:08 139,264 a------- c:\windows\War3Unin.exe
2008-12-01 04:08 2,829 a------- c:\windows\War3Unin.pif
2008-11-09 14:25 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-11-09 14:20 409,600 a------- c:\windows\system32\wrap_oal.dll
2008-11-09 14:20 114,688 a------- c:\windows\system32\OpenAL32.dll
2008-11-09 13:25 21,640 a------- c:\windows\system32\emptyregdb.dat
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll

============= FINISH: 0:09:18.59 ===============

Edited by Jmadden, 19 January 2009 - 12:56 AM.
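The DDS log above carries two of the indicators a responder would triage first: the "TCP: NameServer" entries pointing at resolvers the user did not configure, and a driver entry (tclondrv) whose image file DDS could not find on disk, marked "[?]". The following is an added example, not code from the post or from the DDS tool, that pulls those two findings out of the log excerpt; the allowlist EXPECTED_RESOLVERS and the function names are assumptions for illustration.

```python
import re
from ipaddress import ip_address

# Constructed excerpt: lines copied from the DDS "Pseudo HJT Report" and
# "SERVICES / DRIVERS" sections of the log posted above.
SAMPLE_DDS = """\
uInternet Settings,ProxyOverride = *.local
TCP: NameServer = 85.255.115.116,85.255.112.169
TCP: {E29EB0E4-4EAE-45EF-9012-BBBA47D83BF6} = 85.255.115.116,85.255.112.169
S0 tclondrv;tclondrv;c:\\windows\\system32\\drivers\\tclondrv.sys --> c:\\windows\\system32\\drivers\\tclondrv.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\\windows\\system32\\drivers\\npf.sys [2007-11-6 34064]
"""

# Hypothetical allowlist: the resolvers this machine is expected to use
# (home router, ISP DNS). Anything else deserves a second look.
EXPECTED_RESOLVERS = {"192.168.1.1"}

# Global "TCP: NameServer = ..." and per-interface "TCP: {GUID} = ..." lines.
DNS_RE = re.compile(r"^TCP: (NameServer|\{[0-9A-Fa-f-]+\}) = (.+)$")
# Service/driver lines whose image DDS marked "[?]" (file not found).
DRIVER_RE = re.compile(r"^(?:S|R)\d ([^;]+);.*\[\?\]$")


def find_dns_findings(text, expected=EXPECTED_RESOLVERS):
    """Return (scope, server) pairs for nameservers outside the allowlist."""
    findings = []
    for line in text.splitlines():
        m = DNS_RE.match(line)
        if not m:
            continue
        scope, servers = m.group(1), m.group(2)
        for server in servers.split(","):
            server = server.strip()
            try:
                ip_address(server)  # skip anything that is not an IP literal
            except ValueError:
                continue
            if server not in expected:
                findings.append((scope, server))
    return findings


def find_missing_driver_files(text):
    """Return service names whose driver image DDS could not locate."""
    return [m.group(1) for m in map(DRIVER_RE.match, text.splitlines()) if m]


if __name__ == "__main__":
    for scope, server in find_dns_findings(SAMPLE_DDS):
        print(f"unexpected resolver {server} ({scope})")
    for name in find_missing_driver_files(SAMPLE_DDS):
        print(f"driver image missing on disk: {name}")
```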


#2 Jmadden

Posted 19 January 2009 - 12:38 AM

Quick little update: upon searching the quarantine section of ESET, I discovered this stuff.

Variants of Kryptik.eh trojan
INF/Autorun virus
Probably a variant of autorun.ABH worm
Agent.odg virus

#3 Blade81
  • Malware Response Team
Posted 26 January 2009 - 05:40 AM

Hi

If you still need help with this, post a fresh DDS log, please.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

The malware removal instructions provided are meant to be used in the corresponding user's case only. If you have similar symptoms, create your own topic instead of following instructions given to someone else, please.


#4 Blade81
Posted 30 January 2009 - 10:39 AM

Due to inactivity, this thread will now be closed. If you still have problems, please start a New Topic.

